Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study)
Supervisor: Dr. Raymond Choo
Student: Jing Zhang

Presentation outline
- Background
- Research questions
- Literature finding
- Case study: threat landscape; risk framework (case study company); comparison and improvement
- Conclusion

Background
- Cybercrime impact on companies: 75 billion USD of financial loss each year in the United States
- Targets: e-commerce, sensitive information
- Attack types: spoofing, phishing, malware installation, etc.
- Causes: counterfeit software, employee security awareness, etc.

Research questions
1. What are the (cyber) threat landscape and the emerging trends and challenges that would have an impact on the China Aerospace Systems Engineering Corporation (case study company)?
2. What are the limitations of existing information security risk management frameworks, and/or how can existing frameworks be adapted in the case study company?

Literature finding
Three international risk management frameworks:
- NIST SP 800-30 (National Institute of Standards and Technology), USA
- ISO 31000 (International Organization for Standardization), Australia
- ENISA (European Network and Information Security Agency), European countries

Literature finding (Cont'd): terminology and risk management phases

| Phase        | NIST SP 800-30                   | ISO 31000                                                                       | ENISA                                                        |
|--------------|----------------------------------|---------------------------------------------------------------------------------|--------------------------------------------------------------|
| First phase  | -                                | Mandate and commitment; Design of framework for managing risk                   | Corporate risk management strategy                           |
| Second phase | Risk assessment; Risk mitigation | Implementing risk management                                                    | Risk assessment; Risk treatment; Risk acceptance (optional)  |
| Third phase  | Evaluation and assessment        | Monitoring and review of the framework; Continual improvement of the framework  | Monitoring and review                                        |

Literature finding (Cont'd): NIST SP 800-30

Literature finding (Cont'd): ISO 31000

Literature finding (Cont'd): ENISA

Case study: threat landscape
- Phishing: online shopping, ticket selling, travel agencies, Internet banking
- Mobile device attacks: account theft, mobile banking information, unauthorised charges (premium SMS)
- Advanced Persistent Threat (APT): enterprise-level attacks with more specific targets, aimed at sensitive information

Case study (Cont'd): risk framework (case study company)
- Risk management process: risk identification, risk analysis, risk treatment, control implementation, risk monitoring and control improvement, communication
- Risk identification: information assets (system, software, hardware, employee and archived data); threats (non-human, human); vulnerabilities (technical, operational, management)
- Risk analysis: likelihood (attraction level of each information asset) and consequence (financial: both information value and recovery cost)

Case study (Cont'd): risk framework (case study company)
- Risk treatment:
  - Control methods: risk avoidance, risk transformation, risk minimisation, risk acceptance
  - Control categories: technical control, operational control, management control
  - Cost-benefit analysis: purchase cost, continuing cost, employee training cost
- Control implementation: implementation report (timeline, responsibility)
- Risk monitoring and control improvement: new risk treatment plan after review and monitoring
- Communication
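The risk identification, analysis and treatment steps on the preceding slides, as an added Python example; this is not the case-study company's or the thesis's own tooling. It records assets, threats and vulnerabilities, scores likelihood and consequence (information value plus recovery cost), and applies a cost-benefit check over purchase, continuing and training costs to choose a treatment. The numeric likelihood scale, the decision rule, the three-year planning horizon and the residual-risk step (which the comparison slide later notes is absent from the company framework) are assumptions of this example, and every asset value and control cost is a constructed sample figure.

```python
from dataclasses import dataclass

# Likelihood labels (the "attraction level" of an asset on the slides) mapped to
# an annual probability of a successful attack. This scale is an assumption made
# for the example, not one taken from the case-study company.
LIKELIHOOD = {
    "rare": 0.1,
    "unlikely": 0.3,
    "possible": 0.5,
    "likely": 0.7,
    "almost certain": 0.9,
}


@dataclass
class Asset:
    name: str
    category: str             # system, software, hardware, employee or archived data
    information_value: float  # USD lost if the information is compromised
    recovery_cost: float      # USD needed to restore the asset after an incident


@dataclass
class Risk:
    asset: Asset
    threat: str         # human or non-human threat source
    vulnerability: str  # technical, operational or management weakness
    likelihood: str     # one of the LIKELIHOOD keys

    def consequence(self) -> float:
        # Financial consequence = information value + recovery cost (as on the slide).
        return self.asset.information_value + self.asset.recovery_cost

    def exposure(self) -> float:
        # Expected annual loss = likelihood x consequence.
        return LIKELIHOOD[self.likelihood] * self.consequence()


@dataclass
class Control:
    name: str
    category: str                # technical, operational or management control
    purchase_cost: float         # one-off
    continuing_cost: float       # per year
    training_cost: float         # one-off employee training
    likelihood_reduction: float  # fraction of the likelihood removed, 0..1 (assumed model)

    def annual_cost(self, years: int) -> float:
        # One-off costs are spread over the planning horizon; continuing cost is per year.
        return (self.purchase_cost + self.training_cost) / years + self.continuing_cost


def residual_exposure(risk: Risk, control: Control) -> float:
    # Residual risk: the exposure that remains after the control is applied.
    return risk.exposure() * (1.0 - control.likelihood_reduction)


def plan_treatment(risk: Risk, control: Control, tolerance: float, years: int = 3) -> dict:
    """Pick a treatment option and return the figures behind the decision.

    Decision rule (an assumption for this example):
      - exposure within tolerance               -> accept
      - control benefit exceeds its annual cost -> minimise (apply the control)
      - otherwise                               -> transfer (the slide's "risk
        transformation"), e.g. insurance or outsourcing
    """
    exposure = risk.exposure()
    residual = residual_exposure(risk, control)
    cost = control.annual_cost(years)
    benefit = exposure - residual
    if exposure <= tolerance:
        decision = "accept"
    elif benefit > cost:
        decision = "minimise"
    else:
        decision = "transfer"
    return {
        "asset": risk.asset.name,
        "decision": decision,
        "exposure": round(exposure, 2),
        "residual": round(residual, 2),
        "annual_control_cost": round(cost, 2),
        "net_benefit": round(benefit - cost, 2),
        # Residual risk still above tolerance must go back into review and monitoring.
        "residual_above_tolerance": decision == "minimise" and residual > tolerance,
    }


# Constructed sample register: values are illustrative, not company data.
SAMPLE_RISKS = [
    (Risk(Asset("customer order archive", "archived data", 200_000, 50_000),
          "human: phishing against staff", "operational: low awareness", "likely"),
     Control("awareness training + mail filtering", "operational", 30_000, 10_000, 15_000, 0.6)),
    (Risk(Asset("public brochure web server", "hardware", 5_000, 8_000),
          "non-human: hardware failure", "technical: no redundancy", "possible"),
     Control("hot spare server", "technical", 6_000, 1_000, 0, 0.9)),
    (Risk(Asset("legacy build server", "system", 40_000, 20_000),
          "human: malware installation", "technical: unpatched OS", "possible"),
     Control("full platform replacement", "technical", 200_000, 30_000, 5_000, 0.5)),
]


def sample_plan(tolerance: float = 20_000) -> list:
    # Treatment plan for the whole sample register at a given risk tolerance (USD/year).
    return [plan_treatment(r, c, tolerance) for r, c in SAMPLE_RISKS]


if __name__ == "__main__":
    for row in sample_plan():
        print(row)
```

Running it shows the three outcomes the slide's control methods cover: the phishing risk is minimised because the control's benefit outweighs its cost, yet its residual exposure is flagged for the monitoring step; the web server risk is accepted because it already sits within tolerance; and the legacy server risk is transferred because replacing the platform costs more per year than it saves.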

Case study (Cont'd): risk framework (case study company)
- Implementation plan: planning and preparation; deployment and implementation; monitoring and improvement
- Planning and preparation:
  - Obtain support: senior management team, related departments (human, physical, financial and time support)
  - Main actors and responsibilities: information security team, IT group, human resources, financial department
  - Security control selection and implementation: economic factor, timing factor, technical factor, control implementation plan

Case study (Cont'd): risk framework (case study company)
- Deployment and implementation: security training (user training, manager training, security staff training)
- Monitoring and improvement: mitigation plan (internal and external network data exchange policy, security auditing, access control, etc.)

Case study (Cont'd): comparison and improvement
Features missing from the company framework:
- Context establishment (ISO 31000 and ENISA), system characterization (NIST), risk criteria (ISO 31000)
- Motivation analysis (NIST); organisational processes, stakeholder concerns and expert decisions, organisational risk attitude and tolerance (ISO 31000, ENISA)
- Cost-benefit (NIST): effect of implementing, effect of not implementing, implementation cost
- Positive risk (ENISA)
- Risk assessment and mitigation activities (NIST)
- Residual risk (all three frameworks)

Conclusion
- The frameworks take different perspectives in some areas
- The company framework could still be improved
- Risk management is vital to organisational activity

References
- E. G. Amoroso, "Cyber attacks: awareness," Network Security, vol. 2011.
- E. E. Anderson and J. Choobineh, "Enterprise information security strategies," Computers & Security, vol. 27.
- K. K. R. Choo, "Cyber threat landscape faced by financial and insurance industry," Trends and Issues in Crime and Criminal Justice, no. 408, pp. 1-6.
- B. Kakoli, P. Peter, and K. M. Mykytyn, "A framework for integrated risk management in information technology," Management Decision, vol. 37, no. 5, pp. 437-445.
- M. Burdon, B. Lane, and P. von Nessen, "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments," Computer Law & Security Review, vol. 26.
- K. K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30.
- G. Locke and P. D. Gallagher, "Guide for applying the risk management framework to federal information systems: a security life cycle approach," NIST Special Publication.
- Standards Australia and Standards New Zealand, "Risk management," AS/NZS 4360:2004.
- European Network and Information Security Agency (ENISA), "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools."
- G. Stoneburner, A. Goguen, et al., "Risk management guide for information technology systems," NIST Special Publication 800-30.

Questions?